From ca3c42d865e122d3ad5abfcfe9ce14d97ca427a3 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Wed, 14 Apr 2021 14:32:19 -0400 Subject: [PATCH 1/5] deprecate starting verifications without first requesting --- ...-starting-verifications-without-request.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 proposals/xxxx-deprecate-starting-verifications-without-request.md diff --git a/proposals/xxxx-deprecate-starting-verifications-without-request.md b/proposals/xxxx-deprecate-starting-verifications-without-request.md new file mode 100644 index 00000000..3d0ec821 --- /dev/null +++ b/proposals/xxxx-deprecate-starting-verifications-without-request.md @@ -0,0 +1,37 @@ +# MSCxxxx: Depretate starting key verifications without requesting first + +Currently, the spec allows a device to begin a verification via to-device +messages by sending an `m.key.verification.start` event without first sending +or receiving an `m.key.verification.request` message. However, doing so does +not provide a good user experience, and allowing this adds unnecessary +complexity to implementations. + +We propose to deprecate allowing this behaviour. + +Note that verifications in DMs do not allow this behaviour. Currently, Element +Web is the only client known to do this. + +## Proposal + +The ability to begin a key verification by sending an +`m.key.verification.start` event as a to-device event without a prior +`m.key.verification.request` is deprecated. New clients should not begin +verifications in this way, but will still need to accept verifications begun in +this way, until it is removed from the spec. + +## Potential issues + +None. + +## Alternatives + +We could do nothing and leave it in the spec. But we should clean up cruft when +possible. + +## Security considerations + +None. + +## Unstable prefix + +No unstable prefix is removed since we are simply deprecating behaviour. From e0ec01a999c5f2a6e31f57968ef2a0a77d636654 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Wed, 14 Apr 2021 14:33:57 -0400 Subject: [PATCH 2/5] use MSC number --- ...=> 3122-deprecate-starting-verifications-without-request.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename proposals/{xxxx-deprecate-starting-verifications-without-request.md => 3122-deprecate-starting-verifications-without-request.md} (94%) diff --git a/proposals/xxxx-deprecate-starting-verifications-without-request.md b/proposals/3122-deprecate-starting-verifications-without-request.md similarity index 94% rename from proposals/xxxx-deprecate-starting-verifications-without-request.md rename to proposals/3122-deprecate-starting-verifications-without-request.md index 3d0ec821..ba4b2d7f 100644 --- a/proposals/xxxx-deprecate-starting-verifications-without-request.md +++ b/proposals/3122-deprecate-starting-verifications-without-request.md @@ -1,4 +1,4 @@ -# MSCxxxx: Depretate starting key verifications without requesting first +# MSC3122: Depretate starting key verifications without requesting first Currently, the spec allows a device to begin a verification via to-device messages by sending an `m.key.verification.start` event without first sending From fbbdd0f6ccbefde1dc11ddfe346b57867050d24a Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Wed, 14 Apr 2021 14:42:21 -0400 Subject: [PATCH 3/5] I should pay attention when my editor says that things are misspelled --- .../3122-deprecate-starting-verifications-without-request.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/3122-deprecate-starting-verifications-without-request.md b/proposals/3122-deprecate-starting-verifications-without-request.md index ba4b2d7f..981721d8 100644 --- a/proposals/3122-deprecate-starting-verifications-without-request.md +++ b/proposals/3122-deprecate-starting-verifications-without-request.md @@ -1,4 +1,4 @@ -# MSC3122: Depretate starting key verifications without requesting first +# MSC3122: Deprecate starting key verifications without requesting first Currently, the spec allows a device to begin a verification via to-device messages by sending an `m.key.verification.start` event without first sending From 620278786ddb10f84ffcd889a385f217870c618f Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Tue, 20 Apr 2021 11:39:26 -0400 Subject: [PATCH 4/5] Update proposals/3122-deprecate-starting-verifications-without-request.md Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- .../3122-deprecate-starting-verifications-without-request.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/3122-deprecate-starting-verifications-without-request.md b/proposals/3122-deprecate-starting-verifications-without-request.md index 981721d8..110f1377 100644 --- a/proposals/3122-deprecate-starting-verifications-without-request.md +++ b/proposals/3122-deprecate-starting-verifications-without-request.md @@ -34,4 +34,4 @@ None. ## Unstable prefix -No unstable prefix is removed since we are simply deprecating behaviour. +No unstable prefix is required since we are simply deprecating behaviour. From adbe95259f596c42b9d2bf7c9cdf0582c6300492 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Tue, 20 Apr 2021 11:43:10 -0400 Subject: [PATCH 5/5] add link to relevant spec --- ...recate-starting-verifications-without-request.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/proposals/3122-deprecate-starting-verifications-without-request.md b/proposals/3122-deprecate-starting-verifications-without-request.md index 110f1377..9a00699b 100644 --- a/proposals/3122-deprecate-starting-verifications-without-request.md +++ b/proposals/3122-deprecate-starting-verifications-without-request.md @@ -1,10 +1,13 @@ # MSC3122: Deprecate starting key verifications without requesting first -Currently, the spec allows a device to begin a verification via to-device -messages by sending an `m.key.verification.start` event without first sending -or receiving an `m.key.verification.request` message. However, doing so does -not provide a good user experience, and allowing this adds unnecessary -complexity to implementations. +Currently, the [Key verification +framework](https://spec.matrix.org/unstable/client-server-api/#key-verification-framework) +allows a device to begin a verification via to-device messages by sending an +`m.key.verification.start` event without first sending or receiving an +`m.key.verification.request` message. (The last sentence of the 5th paragraph +of the Key verification framework in the unstable spec, as of the time of +writing.) However, doing so does not provide a good user experience, and +allowing this adds unnecessary complexity to implementations. We propose to deprecate allowing this behaviour.